This chart shows Countries with Highest Number of Users Attacked with Ransomware.

Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.

In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Ukash and Bitcoin are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", traveled automatically between computers without user interaction.

Encrypting ransomware returned to prominence in late 2013 with the propagation of CryptoLocker—using the Bitcoin digital currency platform to collect ransom money. In December 2013, ZDNet estimated based on Bitcoin transaction information that between 15 October and 18 December, the operators of CryptoLocker had procured about US$27 million from infected users.

TheMicrosoft Malware Protection Center identified a trend away from WSF files in favor of LNK files and PowerShell scripting.These LNK shortcut files install Locky ransomware by automating infection operations rather than relying on traditional user downloads of WSF files—all of which is made possible by the universal PowerShell Windows application.

Unfortunately, cyber criminals have been able to leverage PowerShell for their attacks for years. In a recent report, the application was found to be involved in nearly 40% of endpoint security incidents. While attackers have been finding weaknesses in the Windows operating system for years, it’s clear that there’s something problematic with PowerShell scripting.

Some ransomware strains have used proxies tied to Tor hidden services to connect to their command and control servers, increasing the difficulty of tracing the exact location of the criminals.Furthermore, dark web vendors have increasingly started to offer the technology as a service.